diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index 8cc9faac4b9c..a572b13d086f 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -28,6 +28,7 @@
 #include <linux/ioctl.h>
 #include <linux/security.h>
 #include <linux/hugetlb.h>
+#include <linux/pgsize_migration.h>
 
 int sysctl_unprivileged_userfaultfd __read_mostly;
 
@@ -1511,7 +1512,7 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx,
 		 * the current one has not been updated yet.
 		 */
 		vm_write_begin(vma);
-		WRITE_ONCE(vma->vm_flags, new_flags);
+		WRITE_ONCE(vma->vm_flags, vma_pad_fixup_flags(vma, new_flags));
 		rcu_assign_pointer(vma->vm_userfaultfd_ctx.ctx, ctx);
 		vm_write_end(vma);
 
@@ -1694,7 +1695,7 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx,
 		 * the current one has not been updated yet.
 		 */
 		vm_write_begin(vma);
-		WRITE_ONCE(vma->vm_flags, new_flags);
+		WRITE_ONCE(vma->vm_flags, vma_pad_fixup_flags(vma, new_flags));
 		rcu_assign_pointer(vma->vm_userfaultfd_ctx.ctx, NULL);
 		vm_write_end(vma);
 
diff --git a/mm/madvise.c b/mm/madvise.c
index 410f366b5df4..7d386e9051fb 100644
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -172,7 +172,7 @@ static long madvise_behavior(struct vm_area_struct *vma,
 	 * vm_flags is protected by the mmap_lock held in write mode.
 	 */
 	vm_write_begin(vma);
-	WRITE_ONCE(vma->vm_flags, new_flags);
+	WRITE_ONCE(vma->vm_flags, vma_pad_fixup_flags(vma, new_flags));
 	vm_write_end(vma);
 
 out_convert_errno: